Hello community,

here is the log from the commit of package docker for openSUSE:Factory checked 
in at 2017-09-07 22:11:56
++++++++++++++++++++++++++++++++++++++++++++++++++++++++++++++++++++++++
Comparing /work/SRC/openSUSE:Factory/docker (Old)
 and      /work/SRC/openSUSE:Factory/.docker.new (New)
++++++++++++++++++++++++++++++++++++++++++++++++++++++++++++++++++++++++

Package is "docker"

Thu Sep  7 22:11:56 2017 rev:59 rq:521899 version:17.04.0_ce

Changes:
--------
--- /work/SRC/openSUSE:Factory/docker/docker.changes    2017-08-17 
11:44:05.589963477 +0200
+++ /work/SRC/openSUSE:Factory/.docker.new/docker.changes       2017-09-07 
22:12:01.872978684 +0200
@@ -1,0 +2,20 @@
+Wed Sep  6 11:42:31 UTC 2017 - [email protected]
+
+- devicemapper: add patch to make the dm storage driver remove a container's
+  rootfs mountpoint before attempting to do libdm operations on it. This helps
+  avoid complications when live mounts will leak into containers. Backport of
+  https://github.com/moby/moby/pull/34573. bsc#1045628
+  + bsc1045628-0001-devicemapper-remove-container-rootfs-mountPath-after.patch
+
+-------------------------------------------------------------------
+Wed Aug 30 14:58:52 UTC 2017 - [email protected]
+
+- Fix a regression in our SUSE secrets patches, which caused the copied files
+  to not carry the correct {uid,gid} mapping when using user namespaces. This
+  would not cause any bugs (SUSEConnect does the right thing anyway) but it's
+  possible some programs would not treat the files correctly. This is
+  tangentially related to bsc#1055676.
+  * secrets-0001-daemon-allow-directory-creation-in-run-secrets.patch
+  * secrets-0002-SUSE-implement-SUSE-container-secrets.patch
+
+-------------------------------------------------------------------

New:
----
  bsc1045628-0001-devicemapper-remove-container-rootfs-mountPath-after.patch

++++++++++++++++++++++++++++++++++++++++++++++++++++++++++++++++++++++++

Other differences:
------------------
++++++ docker.spec ++++++
--- /var/tmp/diff_new_pack.4KXeCw/_old  2017-09-07 22:12:03.100805638 +0200
+++ /var/tmp/diff_new_pack.4KXeCw/_new  2017-09-07 22:12:03.104805074 +0200
@@ -58,6 +58,8 @@
 Patch400:       bsc1037436-0001-client-check-tty-before-creating-exec-job.patch
 # PATCH-FIX-UPSTREAM: Backport of https://github.com/moby/moby/pull/33250 
(bsc#1037607).
 Patch401:       
bsc1037607-0001-apparmor-make-pkg-aaparser-work-on-read-only-root.patch
+# PATCH-FIX-UPSTREAM: Backport of https://github.com/moby/moby/pull/34573 
(bsc#1045628)
+Patch402:       
bsc1045628-0001-devicemapper-remove-container-rootfs-mountPath-after.patch
 BuildRequires:  audit
 BuildRequires:  bash-completion
 BuildRequires:  ca-certificates
@@ -176,8 +178,12 @@
 %patch201 -p1
 %endif
 %patch300 -p1
+# bsc#1037436
 %patch400 -p1
+# bsc#1037607
 %patch401 -p1
+# bsc#1045628
+%patch402 -p1
 cp %{SOURCE7} .
 cp %{SOURCE10} .
 

++++++ 
bsc1045628-0001-devicemapper-remove-container-rootfs-mountPath-after.patch 
++++++
>From be9eaee9e25e6b389fcfacd8829bc1235269527b Mon Sep 17 00:00:00 2001
From: Aleksa Sarai <[email protected]>
Date: Sun, 20 Aug 2017 13:50:52 +1000
Subject: [PATCH] devicemapper: remove container rootfs mountPath after umount

libdm currently has a fairly substantial DoS bug that makes certain
operations fail on a libdm device if the device has active references
through mountpoints. This is a significant problem with the advent of
mount namespaces and MS_PRIVATE, and can cause certain --volume mounts
to cause libdm to no longer be able to remove containers:

  % docker run -d --name testA busybox top
  % docker run -d --name testB -v /var/lib/docker:/docker busybox top
  % docker rm -f testA
  [fails on libdm with dm_task_run errors.]

This also solves the problem of unprivileged users being able to DoS
docker by using unprivileged mount namespaces to preserve mounts that
Docker has dropped.

SUSE-Bug: https://bugzilla.suse.com/show_bug.cgi?id=1045628
SUSE-Backport: https://github.com/moby/moby/pull/34573
Signed-off-by: Aleksa Sarai <[email protected]>
---
 daemon/graphdriver/devmapper/deviceset.go | 12 ++++++++++++
 daemon/graphdriver/devmapper/driver.go    |  4 +++-
 2 files changed, 15 insertions(+), 1 deletion(-)

diff --git a/daemon/graphdriver/devmapper/deviceset.go 
b/daemon/graphdriver/devmapper/deviceset.go
index ba845d4d01d4..fe8103683b9b 100644
--- a/daemon/graphdriver/devmapper/deviceset.go
+++ b/daemon/graphdriver/devmapper/deviceset.go
@@ -2402,6 +2402,18 @@ func (devices *DeviceSet) UnmountDevice(hash, mountPath 
string) error {
        }
        logrus.Debug("devmapper: Unmount done")
 
+       // Remove the mountpoint here. Removing the mountpoint (in newer 
kernels)
+       // will cause all other instances of this mount in other mount 
namespaces
+       // to be killed (this is an anti-DoS measure that is necessary for 
things
+       // like devicemapper). This is necessary to avoid cases where a libdm 
mount
+       // that is present in another namespace will cause subsequent 
RemoveDevice
+       // operations to fail. We ignore any errors here because this may fail 
on
+       // older kernels which don't have
+       // torvalds/linux@8ed936b5671bfb33d89bc60bdcc7cf0470ba52fe applied.
+       if err := os.Remove(mountPath); err != nil {
+               logrus.Debugf("devmapper: error doing a remove on unmounted 
device %s: %v", mountPath, err)
+       }
+
        return devices.deactivateDevice(info)
 }
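Review bot: The os.Remove on the just-unmounted mountPath discards every error at Debug level, so the one outcome that matters — the directory still being busy, meaning the mount (or a leaked copy of it in another namespace) is still held and the deactivateDevice on the next line is likely to fail — is invisible in normal daemon logs. Only a missing path is a benign result; the older-kernel case the comment describes presumably surfaces as EBUSY rather than ENOENT, and that is exactly the signal an operator would want, since it means the anti-DoS measure did not take effect. Suggest `if err := os.Remove(mountPath); err != nil && !os.IsNotExist(err) { logrus.Warnf("devmapper: could not remove mountpoint %s after unmount: %v", mountPath, err) }`, and wording the message as removing the mountpoint rather than "a remove on unmounted device". UnmountDevice begins before this hunk; the lines above the "Unmount done" debug message are not visible here.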
 
diff --git a/daemon/graphdriver/devmapper/driver.go 
b/daemon/graphdriver/devmapper/driver.go
index 91de5cd12a0f..69a3b3184933 100644
--- a/daemon/graphdriver/devmapper/driver.go
+++ b/daemon/graphdriver/devmapper/driver.go
@@ -227,10 +227,12 @@ func (d *Driver) Put(id string) error {
        if count := d.ctr.Decrement(mp); count > 0 {
                return nil
        }
+
        err := d.DeviceSet.UnmountDevice(id, mp)
        if err != nil {
-               logrus.Errorf("devmapper: Error unmounting device %s: %s", id, 
err)
+               logrus.Errorf("devmapper: Error unmounting device %s: %v", id, 
err)
        }
+
        return err
 }
 
-- 
2.14.1

++++++ secrets-0001-daemon-allow-directory-creation-in-run-secrets.patch ++++++
--- /var/tmp/diff_new_pack.4KXeCw/_old  2017-09-07 22:12:03.308776327 +0200
+++ /var/tmp/diff_new_pack.4KXeCw/_new  2017-09-07 22:12:03.308776327 +0200
@@ -58,5 +58,5 @@
                        return errors.Wrap(err, "error setting ownership for 
secret")
                }
 -- 
-2.13.0
+2.14.1
 

++++++ secrets-0002-SUSE-implement-SUSE-container-secrets.patch ++++++
--- /var/tmp/diff_new_pack.4KXeCw/_old  2017-09-07 22:12:03.324774072 +0200
+++ /var/tmp/diff_new_pack.4KXeCw/_new  2017-09-07 22:12:03.324774072 +0200
@@ -1,4 +1,4 @@
-From a6d2f9f43ea02d93534867271f7fa7cf0f77e70c Mon Sep 17 00:00:00 2001
+From 9b33a267ec637d7d8a29259246033bfe1b5f47bc Mon Sep 17 00:00:00 2001
 From: Aleksa Sarai <[email protected]>
 Date: Wed, 8 Mar 2017 11:43:29 +1100
 Subject: [PATCH 2/2] SUSE: implement SUSE container secrets
@@ -13,8 +13,8 @@
 Signed-off-by: Aleksa Sarai <[email protected]>
 ---
  daemon/start.go        |   5 +
- daemon/suse_secrets.go | 246 +++++++++++++++++++++++++++++++++++++++++++++++++
- 2 files changed, 251 insertions(+)
+ daemon/suse_secrets.go | 260 +++++++++++++++++++++++++++++++++++++++++++++++++
+ 2 files changed, 265 insertions(+)
  create mode 100644 daemon/suse_secrets.go
 
 diff --git a/daemon/start.go b/daemon/start.go
@@ -35,10 +35,10 @@
                return err
 diff --git a/daemon/suse_secrets.go b/daemon/suse_secrets.go
 new file mode 100644
-index 000000000000..99bdbefdebcc
+index 000000000000..b577b7081976
 --- /dev/null
 +++ b/daemon/suse_secrets.go
-@@ -0,0 +1,246 @@
+@@ -0,0 +1,260 @@
 +/*
 + * suse-secrets: patch for Docker to implement SUSE secrets
 + * Copyright (C) 2017 SUSE LLC.
@@ -67,6 +67,7 @@
 +
 +      "github.com/Sirupsen/logrus"
 +      "github.com/docker/docker/container"
++      "github.com/docker/docker/pkg/idtools"
 +      "github.com/opencontainers/go-digest"
 +
 +      swarmtypes "github.com/docker/docker/api/types/swarm"
@@ -102,14 +103,26 @@
 +      }
 +}
 +
-+func (s SuseFakeFile) toSecretReference() *swarmtypes.SecretReference {
++func (s SuseFakeFile) toSecretReference(uidMaps, gidMaps []idtools.IDMap) 
*swarmtypes.SecretReference {
++      // Figure out the host-facing {uid,gid} based on the provided maps. Fall
++      // back to root if the UID/GID don't match (we are guaranteed that root 
is
++      // mapped).
++      hostUid, hostGid, _ := idtools.GetRootUIDGID(uidMaps, gidMaps)
++      if uid, err := idtools.ToHost(s.Uid, uidMaps); err == nil {
++              hostUid = uid
++      }
++      if gid, err := idtools.ToHost(s.Gid, gidMaps); err == nil {
++              hostGid = gid
++      }
++
++      // Return the secret reference as a file target.
 +      return &swarmtypes.SecretReference{
 +              SecretID:   s.id(),
 +              SecretName: s.id(),
 +              File: &swarmtypes.SecretReferenceFileTarget{
 +                      Name: s.Path,
-+                      UID:  fmt.Sprintf("%d", s.Uid),
-+                      GID:  fmt.Sprintf("%d", s.Gid),
++                      UID:  fmt.Sprintf("%d", hostUid),
++                      GID:  fmt.Sprintf("%d", hostGid),
 +                      Mode: s.Mode,
 +              },
 +      }
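Review bot: The error from idtools.GetRootUIDGID on the new hostUid/hostGid line is discarded, so if the maps do not actually contain a root mapping the values presumably stay at their zero value and the secret file target is emitted with UID/GID "0" — real host root — while the comment asserts that root is guaranteed to be mapped. If that guarantee is an invariant, make its violation visible rather than silent: `hostUid, hostGid, err := idtools.GetRootUIDGID(uidMaps, gidMaps)` followed by `if err != nil { logrus.Warnf("suse-secrets: no root mapping for %s, defaulting to host root: %v", s.Path, err) }`. The two ToHost checks have the same silent-fallback shape; a Debugf in their failure branch would make a mis-owned secret file traceable from the logs. toSecretReference's closing brace lies outside this hunk.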
@@ -277,14 +290,15 @@
 +              return err
 +      }
 +
++      uidMaps, gidMaps := daemon.GetUIDGIDMaps()
 +      for _, secret := range secrets {
 +              newSecretStore.secrets[secret.id()] = secret.toSecret()
-+              c.SecretReferences = append(c.SecretReferences, 
secret.toSecretReference())
++              c.SecretReferences = append(c.SecretReferences, 
secret.toSecretReference(uidMaps, gidMaps))
 +      }
 +
 +      c.SecretStore = newSecretStore
 +      return nil
 +}
 -- 
-2.13.0
+2.14.1
 

